This key is used to encrypt all database master keys as well as all server-level secrets such as credential secrets or linked server login passwords. The key itself is a 128bit 3DES key. The 3DES algorithm was chosen because of its availability on all Windows platforms supported by SQL Server 2005. The SMK is encrypted using DPAPI and the service account credentials. A second encryption of the SMK will be added in future builds.

Database Master Keys (DMK)

There can be only one such key per each database. Like the SMK, each DMK is a 128bit 3DES key. The DMKs are encrypted using a password and by default an additional encryption by the SMK is also made. A DMK is used to protect database level secrets such as the private keys of certificates or asymmetric keys. The purpose of the encryption by the SMK is to allow the server to be able to internally decrypt the DMK without requiring a password from the user. If this is not desired (because every sysadmin would have access to the DMK), the SMK encryption can be removed, but then the DMK can only be opened by specifying the password that was used to encrypt it.